Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

1. Keep Drupal core and modules up to date

Always keep Drupal core and modules up to date with the latest critical updates.

It is also recommended to use only custom modules and themes from a well-known company or from Drupal.org.

2. Specify the trusted host patterns

Drupal supports trusted host patterns, where a set of regular expressions that the domain on incoming request should match. This configuration is in settings.php

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];

3. Backup the website

Always make backups of the website. Database and files from the host, and keep the codebase in a git repository. It’s also recommended to backup the website before updating Drupal core and modules.

4. Usernames and passwords

Do not use the conventional admin username for the site administrator. Be smart with the usernames and choose a complex password.

When possible, inactivate the user 1, as this is the user with the greatest privileges and very often bypasses all Drupal security layers. Use regular users with administrator role instead.

5. Use Drupal security modules

  • Login Security: improves the security options in the login operation of a Drupal site. By default, Drupal introduces only basic access control denying IP access to the full content of the site.

  • Password Policy: provides a way to enforce restrictions on user passwords by defining password policies.

  • Captcha: a challenge-response test most often placed within web forms to determine whether the user is human.

  • Automated Logout: provides the ability to log users out after a specified time of inactivity.

  • Session Limit: this allows to limit the number of simultaneous sessions per user.

  • Security Kit: provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.

  • Security Review: automates testing for many of the easy-to-make mistakes that render your site insecure.

6. Use an SSL certificate

If you are not running over an HTTPS connection, all your data, including username and passwords are sent in clear text over the internet.

7. Check file permissions

In this article, there are the fix-permissions.sh script that you can run that configure all files and folder permissions accordingly to the Drupal best practices. https://www.drupal.org/node/244924

8. Remove all unused modules

There is no reason to have unused code on your website.

9. Block access to Drupal sensitive files

Restrict the access to some important files like authorize.php, cron.php, install.php, update.php using the .htaccess

<FilesMatch "(authorize|cron|install|upgrade)\.php">
    Order deny, allow
    deny from all
    Allow from 127.0.0.1
</FilesMatch>

10. Review all user roles and grant the minimum necessary permissions

It’s always easier to add a new permission to a user role than removing some after they are used to what they had before.

  • No labels